On 2023-03-28 04:13, Rowland Penny via samba wrote:
>
> On 27/03/2023 23:55, Gary Dale via samba wrote:
>> My Samba setup was working until several months ago. I didn't do
>> anything to it that I can recall but it stopped letting my Windows
>> VMs connect. When I use smbclient to try to connect, I get session
>> setup failed: NT_STATUS_NO_LOGON_SERVERS
>>
>> My Internet searches have revealed that this is a common and
>> long-standing issue: frequently reported but I've had no luck finding
>> anyone posting a solution.
>>
>> I'm running Debian/Bullseye on an AMD64 machine. This is also an NFS
>> server as that's how I connect from my various Linux devices. I only
>> discovered the issue when I tried to install a piece of software on a
>> Windows 10 VM. I have no problem logging into the VMs using domain
>> accounts.
>>
>> I've verified that it also affects a Windows 7 VM so it's not a problem
>> with the VM. That led me to trying to debug the server. The Samba DC
>> wiki suggests trying smbclient //localhost/netlogon -UAdministrator
>> -c 'ls', which throws the error.
>>
>> Interestingly smbclient -L localhost -U% works:
>> # smbclient -L localhost -U%
>>
>>         Sharename       Type      Comment
>>         ---------       ----      -------
>>         netlogon        Disk      Network Logon Service
>>         sysvol          Disk
>>         shares          Disk
>>         archives        Disk
>>         communications  Disk
>>         office          Disk
>>         graphics        Disk
>>         hardware        Disk
>>         install         Disk
>>         media$          Disk
>>         system          Disk
>>         tools           Disk
>>         utility         Disk
>>         webpages$       Disk
>>         develop         Disk
>>         backup          Disk
>>         IPC$            IPC       IPC Service (Samba 4.13.13-Debian)
>> SMB1 disabled -- no workgroup available
>>
>> Can anyone offer any advice on what may be the problem?
>>
>> Below is the output with debug information turned up.
>>
>> smbclient -d=5 //localhost/netlogon -U Administrator
>> INFO: Current debug levels:
>>   all: 5
>>   tdb: 5
>>   printdrivers: 5
>>   lanman: 5
>>   smb: 5
>>   rpc_parse: 5
>>   rpc_srv: 5
>>   rpc_cli: 5
>>   passdb: 5
>>   sam: 5
>>   auth: 5
>>   winbind: 5
>>   vfs: 5
>>   idmap: 5
>>   quota: 5
>>   acls: 5
>>   locking: 5
>>   msdfs: 5
>>   dmapi: 5
>>   registry: 5
>>   scavenger: 5
>>   dns: 5
>>   ldb: 5
>>   tevent: 5
>>   auth_audit: 5
>>   auth_json_audit: 5
>>   kerberos: 5
>>   drs_repl: 5
>>   smb2: 5
>>   smb2_credits: 5
>>   dsdb_audit: 5
>>   dsdb_json_audit: 5
>>   dsdb_password_audit: 5
>>   dsdb_password_json_audit: 5
>>   dsdb_transaction_audit: 5
>>   dsdb_transaction_json_audit: 5
>>   dsdb_group_audit: 5
>>   dsdb_group_json_audit: 5
>> lp_load_ex: refreshing parameters
>> Initialising global parameters
>> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
>> (16384)
>> INFO: Current debug levels:
>>   all: 5
>>   tdb: 5
>>   printdrivers: 5
>>   lanman: 5
>>   smb: 5
>>   rpc_parse: 5
>>   rpc_srv: 5
>>   rpc_cli: 5
>>   passdb: 5
>>   sam: 5
>>   auth: 5
>>   winbind: 5
>>   vfs: 5
>>   idmap: 5
>>   quota: 5
>>   acls: 5
>>   locking: 5
>>   msdfs: 5
>>   dmapi: 5
>>   registry: 5
>>   scavenger: 5
>>   dns: 5
>>   ldb: 5
>>   tevent: 5
>>   auth_audit: 5
>>   auth_json_audit: 5
>>   kerberos: 5
>>   drs_repl: 5
>>   smb2: 5
>>   smb2_credits: 5
>>   dsdb_audit: 5
>>   dsdb_json_audit: 5
>>   dsdb_password_audit: 5
>>   dsdb_password_json_audit: 5
>>   dsdb_transaction_audit: 5
>>   dsdb_transaction_json_audit: 5
>>   dsdb_group_audit: 5
>>   dsdb_group_json_audit: 5
>> Processing section "[global]"
>> doing parameter netbios name = THELIBRARIAN
>> doing parameter realm = RAHIM-DALE.ORG
>> doing parameter workgroup = RAHIM-DALE
>> doing parameter security = ADS
>> doing parameter dns forwarder = 8.8.8.8
>> doing parameter server role = active directory domain controller
>> doing parameter idmap_ldb:use rfc2307 = yes
>> doing parameter allow dns updates = nonsecure
>> doing parameter server role check:inhibit = yes
>> doing parameter ntlm auth = yes
>> doing parameter winbind enum users = yes
>> doing parameter winbind enum groups = yes
>> doing parameter log file = /var/log/samba/%m.log
>> doing parameter log level = 1
>> doing parameter idmap config * : backend = tdb
>> doing parameter idmap config * : range = 3000-7999
>> doing parameter idmap config RAHIM-DALE:backend = ad
>> doing parameter idmap config RAHIM-DALE:schema_mode = rfc2307
>> doing parameter idmap config RAHIM-DALE:range = 100000-999999
>> doing parameter idmap config RAHIM-DALE:unix_nss_info = yes
>> doing parameter vfs objects = dfs_samba4 acl_xattr recycle
>> doing parameter map acl inherit = yes
>> doing parameter store dos attributes = yes
>> doing parameter template shell = /bin/bash
>> doing parameter template homedir = /home/%U
>> doing parameter username map = /etc/samba/user.map
>> pm_process() returned Yes
>> added interface br0 ip=192.168.1.14 bcast=192.168.1.255
>> netmask=255.255.255.0
>> Netbios name list:-
>> my_netbios_names[0]="THELIBRARIAN"
>> Client started (version 4.13.13-Debian).
>> Opening cache file at /run/samba/gencache.tdb
>> sitename_fetch: No stored sitename for realm 'RAHIM-DALE.ORG'
>> name localhost#20 found.
>> Connecting to 127.0.0.1 at port 445
>> Socket options:
>>         SO_KEEPALIVE = 0
>>         SO_REUSEADDR = 0
>>         SO_BROADCAST = 0
>>         TCP_NODELAY = 1
>>         TCP_KEEPCNT = 9
>>         TCP_KEEPIDLE = 7200
>>         TCP_KEEPINTVL = 75
>>         IPTOS_LOWDELAY = 0
>>         IPTOS_THROUGHPUT = 0
>>         SO_REUSEPORT = 0
>>         SO_SNDBUF = 2626560
>>         SO_RCVBUF = 131072
>>         SO_SNDLOWAT = 1
>>         SO_RCVLOWAT = 1
>>         SO_SNDTIMEO = 0
>>         SO_RCVTIMEO = 0
>>         TCP_QUICKACK = 1
>>         TCP_DEFER_ACCEPT = 0
>>         TCP_USER_TIMEOUT = 0
>> session request ok
>> negotiated dialect[SMB3_11] against server[localhost]
>> Enter RAHIM-DALE\Administrator's password:
>> cli_session_setup_spnego_send: Connect to localhost as
>> Administrator at RAHIM-DALE.ORG using SPNEGO
>> GENSEC backend 'gssapi_spnego' registered
>> GENSEC backend 'gssapi_krb5' registered
>> GENSEC backend 'gssapi_krb5_sasl' registered
>> GENSEC backend 'spnego' registered
>> GENSEC backend 'schannel' registered
>> GENSEC backend 'naclrpc_as_system' registered
>> GENSEC backend 'sasl-EXTERNAL' registered
>> GENSEC backend 'ntlmssp' registered
>> GENSEC backend 'ntlmssp_resume_ccache' registered
>> GENSEC backend 'http_basic' registered
>> GENSEC backend 'http_ntlm' registered
>> GENSEC backend 'http_negotiate' registered
>> GENSEC backend 'krb5' registered
>> GENSEC backend 'fake_gssapi_krb5' registered
>> Starting GENSEC mechanism spnego
>> Starting GENSEC submechanism gse_krb5
>> GSE to 'localhost' does not make sense
>> Failed to start GENSEC client mech gse_krb5: NT_STATUS_INVALID_PARAMETER
>> Starting GENSEC submechanism ntlmssp
>> Got challenge flags:
>> Got NTLMSSP neg_flags=0x62898215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_TARGET_TYPE_DOMAIN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_TARGET_INFO
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP: Set final flags:
>> Got NTLMSSP neg_flags=0x62088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> NTLMSSP Sign/Seal - Initialising with flags:
>> Got NTLMSSP neg_flags=0x62088215
>>   NTLMSSP_NEGOTIATE_UNICODE
>>   NTLMSSP_REQUEST_TARGET
>>   NTLMSSP_NEGOTIATE_SIGN
>>   NTLMSSP_NEGOTIATE_NTLM
>>   NTLMSSP_NEGOTIATE_ALWAYS_SIGN
>>   NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY
>>   NTLMSSP_NEGOTIATE_VERSION
>>   NTLMSSP_NEGOTIATE_128
>>   NTLMSSP_NEGOTIATE_KEY_EXCH
>> SPNEGO login failed: No logon servers are currently available to
>> service the logon request.
>> session setup failed: NT_STATUS_NO_LOGON_SERVERS
>> root at TheLibrarian:/etc/samba#
>>
>
> Once I picked out your smb.conf from all the above, it became apparent
> that you are running Samba as an AD DC, not only that, but you are
> also using it as a fileserver, this isn't recommended.
>
> There are a few lines in your smb.conf that shouldn't be there:
>
> server role check:inhibit = yes
>
> This is only required to run the 'nmbd' binary, you should never run
> this on a DC, it has its own version built in. If you are running the
> 'nmbd' binary, I suggest you turn it off.
>
> winbind enum users = yes
> winbind enum groups = yes
>
> Those are not required and can slow things down.
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> idmap config RAHIM-DALE:backend = ad
> idmap config RAHIM-DALE:schema_mode = rfc2307
> idmap config RAHIM-DALE:range = 100000-999999
> idmap config RAHIM-DALE:unix_nss_info = yes
>
> username map = /etc/samba/user.map
>
> Those are only used on a Unix domain member and do nothing on a DC.
>
> Having got that out of the way, your command works for myself, but I
> only use a DC for authentication.
>
> Can I suggest you upgrade to a Samba supported version by using Debian
> backports, this will get you 4.17.6. Can I also suggest you
> investigate running Samba as a Unix domain member instead of using the
> DC and just use the DC for authentication.
>
> I would also check a couple of files, /etc/resolv.conf which should
> contain:
>
> search rahim-dale.org
> nameserver 'THE_DCS_IPADDRESS'
>
> /etc/hosts
>
> 127.0.0.1 localhost
> 'THE_DCS_IPADDRESS' thelibrarian.rahim-dale.org thelibrarian
>
> Please try the above and report back
>
> Rowland
>
Thanks Rowland. I was pretty sure it's a DNS issue as the various tests
suggested in
https://wiki.samba.org/index.php/Linux_and_Unix_DNS_Configuration fail.
However my resolv.conf and hosts files were already as you suggested. I
am using systemd networkd, if that makes any difference.

Removing the lines you flagged from smb.conf didn't fix the issue. In
fact, smb.conf fails testparm without a valid idmap config. Conversely
the Samba Wiki at
https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC
warns that adding idmap config to smb.conf will cause the samba service
to fail.

So now I'm at the point that the samba service refuses to start.

I'm loath to upgrade the samba version from the Debian version without a
clear benefit. It doesn't look like it would fix the problem I'm having.
Nor does this look like it's related in any way to using the DC as a
file server - something I've been doing for two decades without
problems. The Samba Wiki caveats seem more related to organizational
issues than technical ones.

I'm considering tearing down everything and starting fresh. Decades of
accumulated crud could be a real problem, since virtually everything I've
read suggests that a simple setup like mine should just work.
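
The smb.conf review from the quoted reply, written out as an added example (not code from either poster or from the Samba project): it parses the [global] section and, when the server role is AD DC, lists the parameters that reply flags together with the reason it gives. The sample configuration is constructed from the parameters visible in the debug output, and the function names are hypothetical.

```python
import re

# Constructed sample: a subset of the [global] parameters shown in the debug output.
SAMPLE_SMB_CONF = """\
[global]
    netbios name = THELIBRARIAN
    realm = RAHIM-DALE.ORG
    workgroup = RAHIM-DALE
    server role = active directory domain controller
    server role check:inhibit = yes
    winbind enum users = yes
    winbind enum groups = yes
    idmap config * : backend = tdb
    idmap config RAHIM-DALE:range = 100000-999999
    username map = /etc/samba/user.map
    template shell = /bin/bash
"""

# Patterns and reasons are taken from the quoted reply, not from Samba itself.
FLAGGED = [
    (r"server role check:inhibit", "only required to run the 'nmbd' binary"),
    (r"winbind enum (users|groups)", "not required and can slow things down"),
    (r"idmap config .*", "only used on a Unix domain member"),
    (r"username map", "only used on a Unix domain member"),
]

def parse_global(text):
    """Return {normalised parameter name: value} for the [global] section."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are case-insensitive; collapse runs of whitespace.
            params[" ".join(name.lower().split())] = value.strip()
    return params

def review_dc_config(text):
    """List (parameter, reason) pairs to review when the server role is AD DC."""
    params = parse_global(text)
    if params.get("server role", "").lower() != "active directory domain controller":
        return []
    return [(name, why) for name in params
            for pattern, why in FLAGGED if re.fullmatch(pattern, name)]

if __name__ == "__main__":
    for name, why in review_dc_config(SAMPLE_SMB_CONF):
        print(f"{name}: {why}")
```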